RE: [PHP] How to open random Flash page with hyperlink?
Curt,

You're absolutely right, it is a security hole; however, the response was a quick solution without much thought in regards to the security integrity of the script.

> -Original Message-
> From: Curt Zirzow [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 August 2003 01:04
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
>
>
> * Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> > Murugesan,
> >
> > main.php:
> > <?
> > session_name("mysessionname");
> > session_start();
> > if (!$s_authed) // check access
> > {
> >   // user hasn't been authorised, therefore redirect to login page
>
> This is exactly why register globals is turned off by default now.
>
> This is a major security hole, I can simply put in the url:
> http://host/main.php?s_authed=1
>
> And I would be considered authenticated, throughout the site.
>
> Please turn register_globals off and use the $_SESSION variable to
> access your session vars.
>
>
> Curt
> --
> "I used to think I was indecisive, but now I'm not so sure."
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

*
This e-mail, including any attachments to it, may contain confidential and/or personal information. If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the information contained within it. Please notify the sender immediately by return e-mail of the error and then delete the original e-mail. The information contained within this e-mail may be solely the opinion of the sender and may not necessarily reflect the position, beliefs or opinions of Salmat on any issue. This email has been swept for the presence of computer viruses known to Salmat's anti-virus systems. For more information, visit our website at www.salmat.com.au.
*
Re: [PHP] How to open random Flash page with hyperlink?
* Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> Murugesan,
>
> main.php:
> <?
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasn't been authorised, therefore redirect to login page

This is exactly why register globals is turned off by default now.

This is a major security hole, I can simply put in the url:
http://host/main.php?s_authed=1

And I would be considered authenticated, throughout the site.

Please turn register_globals off and use the $_SESSION variable to
access your session vars.


Curt
--
"I used to think I was indecisive, but now I'm not so sure."
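
The following is an added example, not part of the original thread: it puts the main.php check as it behaves with register_globals on beside the $_SESSION-based check Curt recommends. The function names, the sample employee id and the passphrase are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Function names and the
// sample account are hypothetical; sample inputs are constructed.

// What main.php effectively did under register_globals=On for a visitor
// with no s_authed stored in the session: the query string became
// ordinary variables before the check ran.
function legacy_is_authed(array $query): bool
{
    extract($query);            // stands in for register_globals
    return !empty($s_authed);   // same test as "if (!$s_authed)"
}

// The check Curt asks for: read the flag only from server-side session
// data, never from a variable the request can create.
function session_is_authed(array $session): bool
{
    return isset($session['s_authed']) && $session['s_authed'] === true;
}

// Login writes the flag into the session array on success. On a real page
// $session is $_SESSION, session_regenerate_id(true) follows a successful
// login, and the redirect is header('Location: /main.php') with no
// credentials in the URL.
function login(array &$session, array $users, string $user, string $pass): bool
{
    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
    $session['s_authed'] = $ok;
    if ($ok) {
        $session['empid'] = $user;   // identity only; the password is not kept
    }
    return $ok;
}

// Constructed data.
$users   = ['1001' => password_hash('example-passphrase', PASSWORD_DEFAULT)];
$forged  = ['s_authed' => '1'];      // main.php?s_authed=1
$session = [];                       // fresh visitor, never logged in

var_dump(legacy_is_authed($forged));     // query string alone against the old check
var_dump(session_is_authed($session));   // the same visitor against the $_SESSION check

login($session, $users, '1001', 'wrong-guess');
var_dump(session_is_authed($session));   // after a failed login

login($session, $users, '1001', 'example-passphrase');
var_dump(session_is_authed($session));   // after a successful login
```

Run it with the PHP command-line interpreter; the four var_dump calls show which check each visitor passes.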
Re: [PHP] How to open random Flash page with hyperlink?
Really thanks for the support. It worked well.

-regards,
Murugesan

- Original Message -
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 25, 2003 11:06 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Murugesan,

I'll assume you're redirecting the user to main.php because (s)he has passed the authentication routine... in that case just store the username and password as a session variable; that way you won't need to pass the username and password via the url.

auth.php, [just before the call to header()]:

then in main.php you need to start your session to access the session variables

your employee id = $empid and the password you typed was $pwd";
?>

> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2003 15:18
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
>
>
> Thanks for the information.
> In the code you provided
>
> if ((!$passwd) || (!$username)) // user hasn't logged in
> {
> .
>
> Actually I have implemented this in a separate page.
>
> That is upon sign up of the in the index page
> I call a new page auth.php
> In that file
> I have done this authentication and called the function
> header ("Location: /main.php?empid=$empid&pwd=$pwd");
>
> Actually when passing this URL the password appears in the
> address bar.
> How to overcome this? It will be very much useful if I get
> the answer.
>
> Thanks in advance
> -Murugesan
> ----------
> Ok let's say you want every user to login before they can
> access other parts
> of your site.
>
> index.php:
> <?
> session_name("mysessionname");
> session_start();
> session_register("s_authed");
> $s_authed = 0; // initialize session flag
>
> if ((!$passwd) || (!$username)) // user hasn't logged in
> {
>   // display login form
>   ...
> }
> else
> {
>   // retrieve database username and password here
>   ...
>   // check if they match
>   if (($db_passwd == $passwd) && ($db_username == $username))
>   {
>     $s_authed = 1; // user has been authorised
>     // redirect to real page
>     echo "
>     <script>
>     window.location='main.php'
>     </script>";
>   }
> }
> ?>
>
> main.php:
> <?
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasn't been authorised, therefore redirect to login page
>   echo "
>   <script>
>   window.location='index.php'
>   </script>";
> }
> else
> {
>   // display page
>   ...
> }
> ?>
>
>
> if a user tries to access main.php directly without logging
> in they will be
> redirected to index.php
>
> check out http://www.php.net/manual/en/ref.session.php for
> more information
>
> > Thanks for the message.
> > Can you please tell me how to do session authentication?.
> >
> > -murugesan
RE: [PHP] How to open random Flash page with hyperlink?
Murugesan,

I'll assume you're redirecting the user to main.php because (s)he has passed the authentication routine... in that case just store the username and password as a session variable; that way you won't need to pass the username and password via the url.

auth.php, [just before the call to header()]:

then in main.php you need to start your session to access the session variables

your employee id = $empid and the password you typed was $pwd";
?>

> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2003 15:18
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
>
>
> Thanks for the information.
> In the code you provided
>
> if ((!$passwd) || (!$username)) // user hasn't logged in
> {
> .
>
> Actually I have implemented this in a separate page.
>
> That is upon sign up of the in the index page
> I call a new page auth.php
> In that file
> I have done this authentication and called the function
> header ("Location: /main.php?empid=$empid&pwd=$pwd");
>
> Actually when passing this URL the password appears in the
> address bar.
> How to overcome this? It will be very much useful if I get
> the answer.
>
> Thanks in advance
> -Murugesan
> ----------
> Ok let's say you want every user to login before they can
> access other parts
> of your site.
>
> index.php:
> <?
> session_name("mysessionname");
> session_start();
> session_register("s_authed");
> $s_authed = 0; // initialize session flag
>
> if ((!$passwd) || (!$username)) // user hasn't logged in
> {
>   // display login form
>   ...
> }
> else
> {
>   // retrieve database username and password here
>   ...
>   // check if they match
>   if (($db_passwd == $passwd) && ($db_username == $username))
>   {
>     $s_authed = 1; // user has been authorised
>     // redirect to real page
>     echo "
>     <script>
>     window.location='main.php'
>     </script>";
>   }
> }
> ?>
>
> main.php:
> <?
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasn't been authorised, therefore redirect to login page
>   echo "
>   <script>
>   window.location='index.php'
>   </script>";
> }
> else
> {
>   // display page
>   ...
> }
> ?>
>
>
> if a user tries to access main.php directly without logging
> in they will be
> redirected to index.php
>
> check out http://www.php.net/manual/en/ref.session.php for
> more information
>
> > Thanks for the message.
> > Can you please tell me how to do session authentication?.
> >
> > -murugesan
Re: [PHP] How to open random Flash page with hyperlink?
Thanks for the information.
In the code you provided

if ((!$passwd) || (!$username)) // user hasn't logged in
{
.

Actually I have implemented this in a separate page.

That is upon sign up of the in the index page
I call a new page auth.php
In that file
I have done this authentication and called the function
header ("Location: /main.php?empid=$empid&pwd=$pwd");

Actually when passing this URL the password appears in the address bar.
How to overcome this? It will be very much useful if I get the answer.

Thanks in advance
-Murugesan
----------
Ok let's say you want every user to login before they can access other parts of your site.

index.php:
<?
session_name("mysessionname");
session_start();
session_register("s_authed");
$s_authed = 0; // initialize session flag

if ((!$passwd) || (!$username)) // user hasn't logged in
{
  // display login form
  ...
}
else
{
  // retrieve database username and password here
  ...
  // check if they match
  if (($db_passwd == $passwd) && ($db_username == $username))
  {
    $s_authed = 1; // user has been authorised
    // redirect to real page
    echo "
    <script>
    window.location='main.php'
    </script>";
  }
}
?>

main.php:
<?
session_name("mysessionname");
session_start();
if (!$s_authed) // check access
{
  // user hasn't been authorised, therefore redirect to login page
  echo "
  <script>
  window.location='index.php'
  </script>";
}
else
{
  // display page
  ...
}
?>

if a user tries to access main.php directly without logging in they will be redirected to index.php

check out http://www.php.net/manual/en/ref.session.php for more information

> Thanks for the message.
> Can you please tell me how to do session authentication?.
>
> -murugesan
RE: [PHP] How to open random Flash page with hyperlink?
Murugesan,

Ok let's say you want every user to login before they can access other parts of your site.

index.php:
<?
session_name("mysessionname");
session_start();
session_register("s_authed");
$s_authed = 0; // initialize session flag

if ((!$passwd) || (!$username)) // user hasn't logged in
{
  // display login form
  ...
}
else
{
  // retrieve database username and password here
  ...
  // check if they match
  if (($db_passwd == $passwd) && ($db_username == $username))
  {
    $s_authed = 1; // user has been authorised
    // redirect to real page
    echo "
    <script>
    window.location='main.php'
    </script>";
  }
}
?>

main.php:
<?
session_name("mysessionname");
session_start();
if (!$s_authed) // check access
{
  // user hasn't been authorised, therefore redirect to login page
  echo "
  <script>
  window.location='index.php'
  </script>";
}
else
{
  // display page
  ...
}
?>

if a user tries to access main.php directly without logging in they will be redirected to index.php

check out http://www.php.net/manual/en/ref.session.php for more information

> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Friday, 22 August 2003 20:04
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
>
>
> Thanks for the message.
> Can you please tell me how to do session authentication?.
>
> -murugesan
Re: [PHP] How to open random Flash page with hyperlink?
Thanks for the message.
Can you please tell me how to do session authentication?.

-murugesan

- Original Message -
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 10:05 AM
Subject: FW: [PHP] How to open random Flash page with hyperlink?


-Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> some more changes
>
>

Murugesan, both ways are correct. It's just that I'm used to using the short open tag :)

http://au.php.net/manual/en/configuration.directives.php#ini.short-open-tag

short_open_tag boolean <http://au.php.net/manual/en/language.types.boolean.php>

Tells whether the short form () of PHP's open tag should be allowed. If you want to use PHP in combination with XML, you can disable this option in order to use inline. Otherwise, you can print it with PHP, for example: . Also if disabled, you must use the long form of the PHP open tag ().

Note: This directive also affects the shorthand

<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 9:32 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Phillip,

pretty close. only a few things that are missing/incorrect. my corrections are marked by a #

> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
>
> $i = rand(0,3);
> ?>
>
> www.x.com/random.php?i=$i">x

# you need to go back to php mode to use $i
www.x.com/random.php?i=">x

>
> ---
>
> // random.php
>
> $i = $_post["i"];

# I'm pretty sure the value would be passed via the GET method as the user would be clicking the hyperlink, so it should look like
$i = $_GET["i"];

>
> if ($i = = 0){

# there shouldn't be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){

# there shouldn't be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.

# don't forget to get out of php mode
?>

>
>

# need to go back to php mode to use $value

>

# need to go back to php mode to use $value

>
> Please help if you know how to do this. Thanks in advance.
>
> phil*

-murugesan
Re: [PHP] How to open random Flash page with hyperlink?
Hello

some more changes

-murugesan

- Original Message -
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 9:32 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Phillip,

pretty close. only a few things that are missing/incorrect. my corrections are marked by a #

> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
>
> $i = rand(0,3);
> ?>
>
> x

# you need to go back to php mode to use $i
x

>
> ---
>
> // random.php
>
> $i = $_post["i"];

# I'm pretty sure the value would be passed via the GET method as the user would be clicking the hyperlink, so it should look like
$i = $_GET["i"];

>
> if ($i = = 0){

# there shouldn't be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){

# there shouldn't be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.

# don't forget to get out of php mode
?>

>
>

# need to go back to php mode to use $value

>

# need to go back to php mode to use $value

>
> Please help if you know how to do this. Thanks in advance.
>
> phil*

-murugesan
RE: [PHP] How to open random Flash page with hyperlink?
Phillip,

pretty close. only a few things that are missing/incorrect. my corrections are marked by a #

> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
>
> $i = rand(0,3);
> ?>
>
> x

# you need to go back to php mode to use $i
x

>
> ---
>
> // random.php
>
> $i = $_post["i"];

# I'm pretty sure the value would be passed via the GET method as the user would be clicking the hyperlink, so it should look like
$i = $_GET["i"];

>
> if ($i = = 0){

# there shouldn't be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){

# there shouldn't be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.

# don't forget to get out of php mode
?>

>
>

# need to go back to php mode to use $value

>

# need to go back to php mode to use $value

>
> Please help if you know how to do this. Thanks in advance.
>
> phil*

hope that helps
Cody